{
	"id": "2f7cd3f7-4e80-476f-8d1f-a6c4d1b72d92",
	"created_at": "2026-04-06T00:14:01.922229Z",
	"updated_at": "2026-04-10T03:33:16.473476Z",
	"deleted_at": null,
	"sha1_hash": "308ef1450ca7a582f71451040112099fb57f0682",
	"title": "SocGholish Malware: A Real Threat from a Fake Update | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 475288,
	"plain_text": "SocGholish Malware: A Real Threat from a Fake Update | Proofpoint US\r\nBy Andrew Northern, November 22, 2022\r\nPublished: 2022-11-21 · Archived: 2026-04-05 17:36:54 UTC\r\nKey Findings:\r\nSocGholish, while relatively easy to detect, is difficult to stop.\r\nCareful campaign management makes analysis difficult for incident responders.\r\nSocGholish is delivered via injected JavaScript on compromised websites.\r\nProofpoint attributes SocGholish activity to the threat actor TA569.\r\nOverview\r\nSocGholish is a malware variant which continues to thrive in the current information security landscape. By utilizing an extensive variety of stages, eligibility checks, and obfuscation routines, it remains one of the most elusive malware families to date. SocGholish was observed in the wild as early as 2018. The absence of details surrounding target selection, evasion logic, and the specific procedures employed by TA569, together with their use of SocGholish in the intermediary phases of infection, contributes to this shroud of mystery.\r\nSocGholish Details\r\nSocGholish is primarily known for its “drive-by” download style of initial infection. Such attacks employ malicious JavaScript, which is injected into compromised, but otherwise legitimate, websites. If an unsuspecting victim receives an email containing a link to a compromised website and clicks on it, the injected JavaScript will execute when the browser loads the page.\r\nIf the victim’s browser meets the eligibility requirements for infection (using a Windows host, originating from an external source, and specific cookie checks), the user is presented with a download for a file masquerading as a browser update. Because the update prompt is loaded from the legitimate domain, the purported authenticity of the update is bolstered.\r\nThis second stage prompts the user to download and execute. Additional eligibility checks are performed prior to serving a compressed archive containing a JavaScript file. An example of the filename would be “AutoUpdater.js.”\r\nOnce the targeted user executes the malicious payload, the third stage of the SocGholish attack chain begins. A series of Windows Management Instrumentation (WMI) calls are invoked by the parent process executing the JavaScript payload (wscript was observed in the current generation, though cscript or other native Windows script hosts could be leveraged). These WMI calls serve to profile the system to ascertain further eligibility for additional follow-on payloads. Data such as domain trusts, username, and computer name are exfiltrated to the attacker-controlled infrastructure. This reconnaissance phase is yet another opportunity for the threat actors (TAs) to avoid deploying their ultimate payload in an analysis environment.\r\nhttps://www.proofpoint.com/us/blog/threat-insight/part-1-socgholish-very-real-threat-very-fake-update\r\nFigure 1: SocGholish Overview\r\nFigure 2: Fake Update Served\r\nInitial Lure – Phishing OR Traffic Funneling?\r\nWhile the tactics of most phishing campaigns are similar across the spectrum of malware, SocGholish deviates from the norm by taking a pass on all traditional hallmarks of phishing campaigns:\r\nNo observed call to action\r\nNo observed sense of urgency\r\nNo threats or promises of rewards\r\nNo blatant trickery or misdirection\r\nInstead, Threat Research has observed SocGholish being leveraged in email campaigns with injections on sites that meet one of two criteria:\r\n1. Extensive marketing and legitimate email advertising campaigns.\r\n2. Strong SEO (Search Engine Optimization) and page rank, causing aggregation and dissemination by Google Alerts and other similar services.\r\nIt is worth noting, though, that the vast majority of SocGholish injects are not visible in email campaigns. At the date of publication, Threat Research is tracking over 1000 active implants while observing only a small fraction of those within our own data. According to a two-week sample of SocGholish infection traffic, Proofpoint identified nearly 300 infected websites targeting users in multiple countries, including Poland, Italy, France, Iran, Spain, Germany, the United Kingdom, and the United States, among others.\r\nThis raises the question, “Are there multiple types of campaigns with distinct tactics and targeting?”\r\nThe current generation of SocGholish implants requires a redirect from a specifically formatted source, so simply typing in the URL and visiting the page is not enough to trigger the initial JavaScript. This, coupled with other observations, leads Threat Research to assess with moderate confidence that the TAs are, in some aspect, relying on the aggregation of injected links by services like Google Alerts and other aggregate feeds and are not directly distributing the URLs via email. Rather, infected URLs are sent legitimately by a user, aggregate service, or marketing service without knowledge that the web page is injected with SocGholish.\r\nFigure 3: SocGholish delivered via Google Alert\r\nPutting it All Together\r\nProofpoint assesses with high confidence that TA569 is a financially motivated threat actor who almost certainly monetizes access gained through the exclusive use and sale of SocGholish infections. Through our investigation and collaboration with partners, Proofpoint has identified that the malware deployed after SocGholish varies based upon the profile of the infected victim’s machine. If the target is domain joined, ransomware, including but not limited to WastedLocker, Hive, and LockBit, is commonly deployed, according to a variety of incident response journals. If the victim is not domain joined, a remote access trojan (RAT) will be deployed. Proofpoint assesses with moderate confidence that the deployment of a RAT is an attempt to harvest credentials to secure a foothold on a network suitable for ransomware deployment, such as the target’s employer. Regardless of the victim’s profile, TA569 is extremely aggressive in deploying follow-on malware, leading to a remarkably low dwell time.\r\nThe follow-on ransomware activity referenced in this report overlaps with activity publicly reported as EvilCorp, Gold Drake, and UNC2165. As TA569 focuses on initial access into target environments, Proofpoint does not suggest equivalence in attribution between TA569 and the actors conducting post-infection activity.\r\nFigure 4: SocGholish as part of a kill chain\r\nConclusion\r\nUsers should be aware of novel social engineering and exploitation mechanisms used by TA569 to deliver malicious payloads, even from trusted sources. This attack chain underscores the importance of consistent, clear communication from organizations concerning user awareness training and software update best practices. SocGholish remains a serious threat to enterprises because it is delivered through legitimate means and because of the speed at which the attack progresses from initial access to ransomware. Defenders must be diligent in evaluating alerts and must not be quick to dismiss them as false positives.\r\nLearn more\r\nFor more on this topic, register to attend our webinar, Threat Research Flash Brief: SocGholish Poisons Supply Chain for Major Media Websites, on Tuesday, November 22, 2022, at 10 AM PT, or watch it on demand.\r\nIn our next report on TA569, we’ll dive deep into the injections, payloads, and changes in activity observed in 2022 from this threat actor. Stay tuned!\r\nSource: https://www.proofpoint.com/us/blog/threat-insight/part-1-socgholish-very-real-threat-very-fake-update",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/part-1-socgholish-very-real-threat-very-fake-update"
	],
	"report_names": [
		"part-1-socgholish-very-real-threat-very-fake-update"
	],
	"threat_actors": [
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-10T02:00:05.234464Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ebc139d2-7450-46f5-a9e4-e7d561133fa5",
			"created_at": "2024-04-24T02:00:49.453475Z",
			"updated_at": "2026-04-10T02:00:05.321256Z",
			"deleted_at": null,
			"main_name": "Mustard Tempest",
			"aliases": [
				"Mustard Tempest",
				"DEV-0206",
				"TA569",
				"GOLD PRELUDE",
				"UNC1543"
			],
			"source_name": "MITRE:Mustard Tempest",
			"tools": [
				"SocGholish",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b296f34c-c424-41da-98bf-90312a5df8ef",
			"created_at": "2024-06-19T02:03:08.027585Z",
			"updated_at": "2026-04-10T02:00:03.621193Z",
			"deleted_at": null,
			"main_name": "GOLD DRAKE",
			"aliases": [
				"Evil Corp",
				"Indrik Spider ",
				"Manatee Tempest "
			],
			"source_name": "Secureworks:GOLD DRAKE",
			"tools": [
				"BitPaymer",
				"Cobalt Strike",
				"Covenant",
				"Donut",
				"Dridex",
				"Hades",
				"Koadic",
				"LockBit",
				"Macaw Locker",
				"Mimikatz",
				"Payload.Bin",
				"Phoenix CryptoLocker",
				"PowerShell Empire",
				"PowerSploit",
				"SocGholish",
				"WastedLocker"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3bf456e4-84ee-48fd-b3ab-c10d54a48a34",
			"created_at": "2024-06-19T02:03:08.096988Z",
			"updated_at": "2026-04-10T02:00:03.82859Z",
			"deleted_at": null,
			"main_name": "GOLD PRELUDE",
			"aliases": [
				"Mustard Tempest ",
				"TA569 ",
				"UNC1543 "
			],
			"source_name": "Secureworks:GOLD PRELUDE",
			"tools": [
				"SocGholish"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6c4f98b3-fe14-42d6-beaa-866395455e52",
			"created_at": "2023-01-06T13:46:39.169554Z",
			"updated_at": "2026-04-10T02:00:03.23458Z",
			"deleted_at": null,
			"main_name": "Evil Corp",
			"aliases": [
				"GOLD DRAKE"
			],
			"source_name": "MISPGALAXY:Evil Corp",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "544cac23-af15-4100-8f20-46c07962cbfa",
			"created_at": "2023-01-06T13:46:39.484133Z",
			"updated_at": "2026-04-10T02:00:03.34364Z",
			"deleted_at": null,
			"main_name": "GOLD PRELUDE",
			"aliases": [
				"TA569",
				"UNC1543"
			],
			"source_name": "MISPGALAXY:GOLD PRELUDE",
			"tools": [
				"FakeUpdates",
				"FakeUpdate",
				"SocGholish"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434441,
	"ts_updated_at": 1775791996,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/308ef1450ca7a582f71451040112099fb57f0682.pdf",
		"text": "https://archive.orkl.eu/308ef1450ca7a582f71451040112099fb57f0682.txt",
		"img": "https://archive.orkl.eu/308ef1450ca7a582f71451040112099fb57f0682.jpg"
	}
}